Manifest Generation and Editing Tool (Mage.exe)

The Manifest Generation and Editing Tool (Mage.exe) is a command-line tool that supports the creation and editing of ClickOnce application and deployment manifests. As a command-line tool, Mage.exe can be run from both batch scripts and other Windows-based applications, including ASP.NET applications.

Clears the downloaded application cache of all online-only applications.

-n, -NewfileType [newOptions]

Creates a new file of the given type. Valid types are:

Deployment: Creates a new deployment manifest.

Application: Creates a new application manifest.

If you do not specify any additional parameters with this command, it will create a file of the appropriate type, with appropriate default tags and attribute values.

Use the –ToFile option (see in the following table) to specify the file name and path of the new file.

Use the –FromDirectory option (see in the following table) to create an application manifest with all of the assemblies for an application added to the <dependency> section of the manifest.

-u, -Update[filePath] [updateOptions]

Makes one or more changes to a manifest file. You do not have to specify the type of file that you are editing. Mage.exe will examine the file by using a set of heuristics and determine whether it is a deployment manifest or an application manifest.

If you have already signed a file with a certificate, -Update will remove the key signature block. This is because the key signature contains a hash of the file, and modifying the file renders the hash invalid.

Use the –ToFile option (see in the following table) to specify a new file name and path instead of overwriting the existing file.

-s, -Sign[signOptions]

Uses a certificate to sign a file. Signatures are inserted as XML elements inside of the files.

-h, -?, -Help[verbose]

Describes all of the available commands and their options. Specify verbose to get detailed help.

New and Update Command Options

The following table shows the options supported by the –New and –Update commands.

Options

Default Value

Applies To

Description

-appc, -AppCodeBasemanifestReference

Deployment manifests.

Inserts a URL or file path reference to the application manifest file. This file must be the full path to the application manifest.

-appm, -AppManifestmanifestPath

Deployment manifests.

Inserts a reference to a deployment's application manifest into its deployment manifest.

The file indicated by manifestPath must exist, or Mage.exe will issue an error. If the file referenced by manifestPath is not an application manifest, Mage.exe will issue an error.

-cf, -CertFilefilePath

All file types.

Specifies the location of a digital certificate for signing a manifest. This option can be used in conjunction with the –Password option, if the certificate requires a password.

-ch, -CertHashhashSignature

All file types.

The hash of a digital certificate stored in the personal certificate store of the client computer. This corresponds to the Thumbprint string of a digital certificate viewed in the Windows Certificates Console.

hashSignature can be either uppercase or lowercase, and can be supplied either as a single string, or with each octet of the Thumbprint separated by spaces and the entire Thumbprint enclosed in quotation marks.

-fd, -FromDirectorydirectoryPath

Application manifests.

Populates the application manifest with descriptions of all assemblies and files found in directoryPath, where directoryPath is the directory that contains the application that you want to deploy. For each file in the directory, Mage.exe decides whether the file is an assembly or a static file. If it is an assembly, it adds a <dependency> tag and installFrom attribute to the application with the assembly's name, code base, and version. If it is a static file, it adds a <file> tag. Mage.exe will also use a simple set of heuristics to detect the main executable for the application, and will mark it as the ClickOnce application's entry point in the manifest.

Mage.exe also generates a hash for each file based on its size. ClickOnce uses these hashes to ensure that no one has tampered with the deployment's files since the manifest was created. If any of the files in your deployment change, you can run Mage.exe with the –Update command and the –FromDirectory option, and it will update the hashes and assembly versions of all referenced files.

-FromDirectory will include all files in all subdirectories found within directoryPath.

If you use –FromDirectory with the –Update command, Mage.exe will remove any files in the application manifest that no longer exist in the directory.

-i, -InstallwillInstall

true

Deployment manifests.

Indicates whether or not the ClickOnce application should install onto the local computer, or whether it should run from the Web. Installing an application gives that application a presence in the Windows Start menu. Valid values are "true" or "t", and "false" or "f".

If you specify the –MinVersion option, and a user has a version less than -MinVersion installed, it will force the application to install, regardless of the value that you pass to -Install.

This option cannot be used with the -BrowserHosted option. Attempting to specify both for the same manifest will result in an error.

-mv, -MinVersion [version]

The version listed in the ClickOnce deployment manifest as specified by the -Version flag.

Deployment manifests.

The minimum version of this application a user can run. This flag makes the named version of your application a required update. If you release a version of your product with an update to a breaking change or a critical security flaw, you can use this flag to specify that this update must be installed, and that the user cannot continue to run earlier versions.

version has the same semantics as the argument to the -Version flag.

-n, -NamenameString

deploy

All file types.

The name that is used to identify the application. ClickOnce will use this name to identify the application in the Start menu (if the application is configured to install itself) and in Permission Elevation dialog boxes.

-pwd, -Passwordpasswd

All file types.

The password that is used for signing a manifest with a digital certificate. Must be used in conjunction with the –CertFile option.

-p, ProcessorprocessorValue

msil

Application manifests.

Deployment manifests.

The microprocessor architecture on which this distribution will run. This value is required if you are preparing one or more installations whose assemblies have been precompiled for a specific microprocessor. Valid values include msil, x86, ia64, and amd64. msil is Microsoft intermediate language, which means all of your assemblies are platform-independent, and the common language runtime (CLR) will just-in-time compile them when your application is first run.

-pu,-ProviderUrlurl

Deployment manifests.

Specifies the URL which ClickOnce will examine for application updates.

-pub, -PublisherpublisherName

Application manifests.

Deployment manifests.

New in the .NET Framework 3.5.

Adds the publisher name to the description element of either the deployment or application manifest. When used on an application manifest, -UseManifestForTrust must also be specified with a value of "true" or "t"; otherwise, this parameter will raise an error.

-ti, -TimestampUriuri

Application manifests.

Deployment manifests.

The URL of a digital timestamping service. Timestamping the manifests prevents you from having to re-sign the manifests should your digital certificate expire before you deploy the next version of your application. Currently, only Verisign supports the timestamping service. The URI supplied as the argument must be "http://timestamp.verisign.com/scripts/timstamp.dll".

-tr, -TrustLevellevel

Based on the zone in which the application URL resides.

Application manifests.

The level of trust to grant the application on client computers. Values include "Internet", "Intranet", and "FullTrust".

-t, -ToFilefilePath

New:

Deployment: deploy.application

Application: application.exe.manifest

Update:

The input file.

All file types.

Specifies the output path of the file that has been created or modified.

If –ToFile is not supplied when you use –New, the output is written to the current working directory. If –ToFile is not supplied when you use –Update, Mage.exe will write the file back to the input file.

-u, -UseManifestForTrustwillUseForTrust

false

Application manifests.

New in the .NET Framework 3.5.

Specifies whether the digital signature of the application manifest will be used for making trust decisions when the application runs on the client. Specifying "true" or "t" indicates that the application manifest will be used for trust decisions. Specifying "false" or "f" indicates that the signature of the deployment manifest will be used.

-v, -VersionversionNumber

1.0.0.0

Application manifests.

Deployment manifests.

The version of the deployment. The argument must be a valid version string of the format "N.N.N.N", where "N" is an unsigned 32-bit integer.

-wpf, -WPFBrowserApp isWPFApp

false

Application manifests.

Deployment manifests.

New in the .NET Framework 3.5.

Use this flag only if the application is a Windows Presentation Foundation (WPF) application that will be hosted inside of Internet Explorer, and is not a stand-alone executable. Valid values are "true" or "t", and "false" or "f".

For application manifests, inserts the hostInBrowser attribute under the entryPoint element of the application manifest.

For deployment manifests, sets the install attribute on the deployment element to false, and saves the deployment manifest with a .xbap extension. Specifying this argument along with the -Install argument produces an error, because a browser-hosted application cannot be an installed, offline application.

Sign Command Options

The following table shows the options supported by the –Sign command, which apply to all types of files.

Options

Description

-cf, -CertFilefilePath

Specifies The location of a digital certificate for signing a manifest. This option can be used in conjunction with the –Password option.

-ch, -CertHashhashSignature

The hash of a digital certificate stored in the personal certificate store of the client computer. This corresponds to the Thumbprint property of a digital certificate viewed in the Windows Certificates Console.

hashSignature can be either uppercase or lowercase, and can be supplied either as a single string or with each octet of the Thumbprint separated by spaces and the entire Thumbprint enclosed in quotation marks.

-p, -Passwordpasswd

The password that is used for signing a manifest with a digital certificate. Must be used in conjunction with the –CertFile option.

-t, -ToFilefilePath

Specifies the output path of the file that has been created or modified.

Signing is the last task you should perform, because a signed document uses a hash of the file to verify that the signature is valid for the document. If you make any changes to a signed file, you must sign it again. If you sign a document that was previously signed, Mage.exe will replace the old signature with the new.

When you use the –AppManifest option to populate a deployment manifest, Mage.exe will assume that your application manifest will reside in the same directory as the deployment manifest within a subdirectory named after the current deployment version, and will configure your deployment manifest appropriately. If your application manifest will reside elsewhere, use the –AppCodeBase option to set the alternate location.

The –TrustLevel option for application manifests describes the permission set an application requires to run on the client computer. By default, applications are assigned a trust level based on the zone in which their URL resides. Applications deployed over a corporate network are generally placed in the Intranet zone, while those deployed over the Internet are placed in the Internet zone. Both security zones place restrictions on the application's access to local resources, with the Intranet zone slightly more permissive than the Internet zone. The FullTrust zone gives applications complete access to a computer's local resources. If you use the –TrustLevel option to place an application in this zone, the Trust Manager component of the CLR will prompt the user to decide whether he or she wants to grant this higher level of trust. If you are deploying your application over a corporate network, you can use Trusted Application Deployment to raise the trust level of the application without prompting the user.

Application manifests also support custom trust sections. This helps your application obey the security principle of requesting least permission, as you can configure the manifest to demand only those specific permissions that the application requires in order to execute. Mage.exe does not directly support adding a custom trust section. You can add one using a text editor, an XML parser, or the graphical tool MageGUI.exe. For more information about how to use MageGUI.exe to add custom trust sections, see Manifest Generation and Editing Tool, Graphical Client (MageUI.exe).

The following examples create a default deployment manifest and application manifest. These files are all created in the current working directory and are named deploy.application and application.exe.manifest, respectively.